How to Disable XML-RPC for WordPress?

Disable XML-RPC for WordPress

Are you looking to disable XML-RPC for WordPress websites?

The legacy WordPress feature has seen its prime days, but now it is getting replaced by innovative technology.

In this quick tutorial we will see what it does, its security risks and how we can disable it with and without installing a plugin.

What is XML-RPC?

XML-RPC is short for Extensible Markup Language Remote Procedure Call. XML-RPC for WordPress is a WordPress feature that enables remote connection between the website and external application. The connection is used to send the data in XML format.

The internet was not that mature and connected in the earlier days. So features like this were useful, as the person could write the content offline and publish it later.

But with the development of Rest API and FastAPI, the time has changed. Now the XML-RPC feature has become more of a security risk than any advantage. It would be better to disable it.

Why Disable XML-RPC?

As XML-RPC can connect the external application with your website, it creates various security risks. Two major security risks with XML-RPC are:

Brute Force Attacks: In brute force attacks, the hackers use a large number of admin ID and password combinations to guess the correct one. In a regular login scenario, you can block the IP address after a certain number of incorrect passwords, add questions to the login page, change the login URL and even add the captcha to the login page. But the XML-RPC ignores all the WordPress login security functions.

Hence, hackers can use the XML-RPC injection to perform a brute force attack.

DDOS Attack: In DDoS attack, hackers send lots of traffic and data to WordPress website. The bots eat up the resources and bandwidth, causing the downtime and website crash. XML-RPC can be used to create thousands of pingbacks causing the website shutdown due to overuse.

How to Disable XML-RPC with Plugin?

Like for every function, there is a WordPress plugin to disable XML-RPC. But in this case, we are going to use the most popular one.

Disable XML-RPC API

Disable XML-RPC API WordPress Plugin

However, if you have already installed a security plugin on your WordPress website, take a look whether there is already a function in the plugin to disable XML-RPC. Many security plugins have inbuilt features for this.

Install and activate the Disable XML-RPC API plugin. Once activated, the plugins will automatically disable the XML-RPC for you. You do not have to take any extra steps.

How to Disable XML-RPC without Plugin?

WordPress plugins are easy, but not always the best solution. They add bloats to WordPress, and affect website resources. Plugins with a single function often do not get updates regularly, and become a security hazard.

So, disabling XML-RPC without a plugin is also an option.

On Apache

On Apache web server, you have to add a line of code to the htaccess file.

NOTE: You can find the .htacess file in the cPanel. Navigate to cPanel → File Manager → public_html → .htaccess. Edit the file and add the code at the end of file.

Code:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

NOTE: Dealing with .htaccess files could be dangerous. Please learn about its functions and importance before modifying it. If you have never done it before, please take a complete backup of the WordPress website before making any changes.

On NginX

On the NginX server, you have to add a line of code to the NginX config file.

location ~* ^/xmlrpc.php$ {
return 403;
}

NOTE: Dealing with Nginx config files could be dangerous. Please learn about its functions and importance before modifying it. If you have never done it before, please take a complete backup of the WordPress website before making any changes.

Wrap Up

Once you disable the XML-RPC on your WordPress website, it will throw a 403 error on loading. You can test by opening this URL: https://yourwebsite.com/xmlrpc.php. Replace YourWebsite with your domain.

We have tried several methods to disable XML-RPC in this article, with and without plugin. If it still does not work, you have to contact your hosting provider. The tech team would know what is stopping it from happening.

I hope this article helped you in understanding and disabling the XML-RPC for your WordPress website. It will make the WordPress website more secure.

Latest WordPress Tips, Guides, & News

Stay updated with new stuff in the WP ecosystem including exclusive deals, how-to articles, new plugins, and more. 100% WordPress Goodness, a promise!

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top

We can help you. Right now.

Fast growing merchants depend ServerGuy for high-performance hosting. Experience counts. Let's get started.

Talk to a sales representative

USA / Worldwide

+1.714.2425683

India

+91.9852704704

Core Web Vitals Book COver

Is your website ready for Core Web Vitals?

Take this FREE book with you and optimize your store for speed.

Learn all about new Google new ranking factors and get that top ranking.